CVE-2025-24980: CWE-204: Observable Response Discrepancy in pimcore admin-ui-classic-bundle
CVE-2025-24980 is a medium-severity vulnerability in pimcore's admin-ui-classic-bundle prior to version 1.7.4. It allows an attacker to enumerate valid user accounts via the 'Forgot password' function due to observable response discrepancies in error messages. No authentication or user interaction is required, and the vulnerability can be exploited remotely over the network. While it does not directly lead to system compromise, user enumeration can facilitate targeted attacks such as phishing or brute force. The issue has been fixed in version 1.7.4, and no workarounds exist. European organizations using affected versions should prioritize upgrading to mitigate risks.
AI Analysis
Technical Summary
CVE-2025-24980 is a vulnerability classified under CWE-204 (Observable Response Discrepancy) affecting the pimcore/admin-ui-classic-bundle, a backend UI component for the Pimcore platform. In versions prior to 1.7.4, the 'Forgot password' functionality leaks information about the existence of user accounts by returning distinct error messages when an invalid or non-existent username/email is submitted. This lack of a generic error message enables an unauthenticated remote attacker to enumerate valid usernames on the system. The vulnerability does not require any privileges or user interaction and can be exploited over the network, increasing its risk profile. Although it does not directly compromise confidentiality, integrity, or availability, user enumeration is a critical reconnaissance step that can facilitate further attacks such as credential stuffing, phishing, or social engineering. The issue was publicly disclosed and assigned CVE-2025-24980 with a CVSS v4.0 base score of 6.9 (medium severity). No known exploits have been reported in the wild, and the vendor has addressed the issue in version 1.7.4. No workarounds are available, making patching the primary mitigation strategy.
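To make the CWE-204 pattern concrete, here is an added example (not Pimcore's code) of a 'Forgot password' handler in the leaky shape described above beside a hardened one whose visible response is identical whether or not the account exists; the `Mailer` class, `USERS` directory and function names are illustrative.

```python
"""Added example (not Pimcore's code): a leaky 'forgot password' handler
beside one whose observable response does not depend on account existence."""
from dataclasses import dataclass, field


@dataclass
class Mailer:
    """Stand-in for an outbound mail service; records what would be sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, email: str) -> None:
        self.sent.append(email)


# Constructed user directory (email -> display name) for the demonstration.
USERS = {"alice@example.invalid": "Alice"}


def forgot_password_leaky(email: str, mailer: Mailer) -> tuple[int, str]:
    """Vulnerable shape: status code and message reveal whether the account exists."""
    if email not in USERS:
        return 404, "No account found for this email address."
    mailer.send_reset(email)
    return 200, "A password reset link has been sent."


def forgot_password_generic(email: str, mailer: Mailer) -> tuple[int, str]:
    """Hardened shape: same status and body in both cases; only the side effect
    differs, and the caller cannot observe it. In a real service the mail should
    be queued asynchronously so response time does not leak the same bit."""
    if email in USERS:
        mailer.send_reset(email)
    return 200, "If an account exists for this address, a reset link has been sent."


def responses_differ(handler, known: str, unknown: str) -> bool:
    """True if an unauthenticated caller could distinguish the two identifiers."""
    return handler(known, Mailer()) != handler(unknown, Mailer())
```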
Potential Impact
For European organizations, this vulnerability primarily impacts the confidentiality of user identity information by allowing attackers to confirm valid accounts. This can lead to increased risk of targeted phishing campaigns, brute force attacks, and credential stuffing, potentially resulting in unauthorized access if weak or reused passwords are present. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, and government, may face compliance and reputational risks if user data is exposed or accounts are compromised. Additionally, attackers could leverage enumerated accounts to launch social engineering attacks against employees or customers. Although the vulnerability does not directly affect system availability or integrity, the indirect consequences of successful follow-on attacks could be severe. The lack of authentication or user interaction requirements means attackers can automate enumeration at scale, increasing exposure. European entities relying on Pimcore for content management or digital experience platforms should consider this a significant risk vector.
Mitigation Recommendations
The primary mitigation is to upgrade the pimcore/admin-ui-classic-bundle to version 1.7.4 or later, where the issue has been fixed by implementing generic error messages that do not disclose account existence. Until upgrading is possible, organizations should monitor logs for unusual patterns of 'Forgot password' requests indicative of enumeration attempts. Implement rate limiting and CAPTCHA challenges on password reset endpoints to hinder automated attacks. Additionally, enforce strong password policies and multi-factor authentication (MFA) to reduce the impact of credential-based attacks stemming from enumeration. Security teams should conduct regular audits of user accounts and educate users about phishing risks. Network-level protections such as Web Application Firewalls (WAFs) can be configured to detect and block suspicious enumeration activity. Finally, ensure incident response plans include steps for handling potential account compromise resulting from enumeration.
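The log-monitoring recommendation above, as an added example that is not part of the advisory or of Pimcore: a detector that flags source IPs requesting password resets for many distinct identifiers in a short window. The log line format, field names and sample entries are constructed for this demonstration.

```python
"""Added example (not from the advisory or Pimcore): flag likely account
enumeration against a 'Forgot password' endpoint from application log lines.
The log line format and field names are constructed for this demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: one legitimate request, then a burst from a single IP
# submitting many different identifiers within a few seconds.
SAMPLE_LOG = """\
2026-01-16T17:36:01Z INFO password_reset_request ip=203.0.113.7 user=alice@example.invalid
2026-01-16T17:40:10Z INFO password_reset_request ip=198.51.100.9 user=bob@example.invalid
2026-01-16T17:40:11Z INFO password_reset_request ip=198.51.100.9 user=carol@example.invalid
2026-01-16T17:40:11Z INFO password_reset_request ip=198.51.100.9 user=dave@example.invalid
2026-01-16T17:40:12Z INFO password_reset_request ip=198.51.100.9 user=erin@example.invalid
2026-01-16T17:40:13Z INFO password_reset_request ip=198.51.100.9 user=frank@example.invalid
2026-01-16T18:05:00Z INFO password_reset_request ip=198.51.100.9 user=heidi@example.invalid
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ password_reset_request ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse(log_text: str):
    """Yield (timestamp, ip, user) for each reset-request line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"]


def enumeration_suspects(log_text: str, window_s: int = 60, min_distinct: int = 5):
    """Return {ip: distinct identifiers} for source IPs that request resets for
    at least min_distinct different identifiers inside any window of window_s
    seconds. Counting distinct identifiers rather than requests keeps a single
    user retrying their own reset from tripping the rule."""
    events = defaultdict(list)
    for ts, ip, user in sorted(parse(log_text)):
        events[ip].append((ts, user))
    window = timedelta(seconds=window_s)
    suspects = {}
    for ip, evs in events.items():
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_distinct:
                suspects[ip] = max(suspects.get(ip, 0), len(users))
    return suspects
```

Thresholds are deliberately conservative; tune `window_s` and `min_distinct` against your own baseline of reset traffic before feeding alerts to a WAF or rate limiter.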
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-01-29T15:18:03.212Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696a7724b22c7ad868c428a4
Added to database: 1/16/2026, 5:36:36 PM
Last enriched: 1/16/2026, 5:51:36 PM
Last updated: 1/16/2026, 8:35:09 PM